Overview
KillSec is a relatively new threat actor group, first appearing publicly in October 2023. Initially recruiting individuals skilled in network and web penetration and malware creation, they quickly transitioned beyond hacktivism to establish a Ransomware-as-a-Service (RaaS) operation and offer penetration testing and OSINT services. Their operations suggest origins in the Eastern Europe/Russia region, although they actively recruit internationally. While claiming to prohibit attacks on critical infrastructure, a significant portion (approximately 20%) of their alleged attacks target the healthcare sector, raising serious concerns. Their methods seem focused on extortion rather than sophisticated encryption-based ransomware.
Known Aliases:
Currently, KillSec is the only known alias for this threat actor group.
Country of Origin:
While not definitively confirmed, KillSec’s operations, language use (English and Russian), and thematic content strongly suggest origins in the Eastern Europe/Russia region.
Most Recent Attacks of KillSec:
KillSec has claimed responsibility for several high-profile attacks, including those targeting:
- Ping An: Killsec targeted this Chinese conglomerate, potentially disrupting financial services and exposing sensitive data of millions of customers.
- Yassir: The super app was compromised by Killsec, with reports suggesting data breaches affecting its ride-hailing, food delivery, and grocery services.
- Belfius Bank: Sensitive data of approximately 300,000 customers was leaked online following a ransomware attack orchestrated by Killsec.
- Wilson Tarquin: Specific details about the breach are unclear, but Killsec’s activities often involve ransomware and data exfiltration.
- Trymata: Killsec added Trymata to its victim list, encrypting data and potentially demanding a ransom, though specifics remain undisclosed.
- Skyward Specialty Insurance: This U.S.-based insurance company faced a ransomware attack by Killsec, with sensitive data likely compromised.
MITRE ATT&CK Tactics and Techniques Used by KillSec:
Based on the alleged activities, the following MITRE ATT&CK tactics and techniques are considered highly probable for KillSec:
- Acquire Access:
- T1650: Valid Accounts
- T1078: Valid Accounts
- T1102: Web Service
- T1021: Remote Services
- Execution:
- T1059: Command and Scripting Interpreter
- Discovery:
- T1120: Peripheral Device Discovery
- T1083: File and Directory Discovery
- T1213: Data from Information Repositories
- T1005: Data from Local System
Methods of Attack/Infiltration Used by KillSec:
KillSec’s recruitment efforts, focusing on network and web penetration and malware creation, suggest a multi-faceted approach. Their RaaS offering indicates a reliance on affiliate networks to distribute malware, though the specific strains used are not identified. Their OSINT service suggests information gathering plays a role in targeting victims. The lack of detail regarding encryption in their extortion attempts implies a focus on data exfiltration and direct threats rather than sophisticated ransomware deployment.
KillSec Malware/Ransomware Strains:
Their RaaS offering promotes an “advanced locker” written in C++, but no specific name or technical details are known. Further investigation is needed to identify the specific tools and techniques employed in their attacks.
Additional Information:
- Ransomware-as-a-Service (RaaS) Model: KillSec offers a RaaS program with a $250 entry fee, offering a 12% commission on successful ransom payments. The platform includes a user-friendly control panel accessible via Tor, featuring real-time statistics, a chat function, and a builder tool for customizing ransomware deployments. They are also teasing future additions such as a stresser tool (likely for DDoS attacks), phone call functionality (potentially for social engineering), and an advanced stealer.
- Affiliate Program: KillSec’s affiliate program requires basic English or Russian language skills, indicating an international recruitment strategy. While they claim to prohibit attacks on critical infrastructure, their actions contradict this policy, with a significant percentage of their alleged attacks targeting the healthcare sector.
- Target Selection: KillSec’s target selection differs from other Eastern European/Russian threat actors, with a disproportionate focus on organizations in India and other Asian countries, rather than primarily Western targets. Their motivations for targeting specific countries or industries remain unclear.
- Operational Hours: KillSec’s Telegram activity peaks between 10 AM and 7 PM Moscow time, with the most significant spike between 6 PM and 7 PM. This does not necessarily indicate state affiliation.
